Channels

Services

Backdoors in industrial control systems

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warns of backdoors in a standard network module for control systems, the Schneider Electric Quantum Ethernet Module. Security expert Rubén Santamarta discovered that these components include several accounts with hard-coded passwords that can be accessed, for example, via FTP, telnet and a debug service at UDP port 17185.

This is how Schneider Electric describes a typical deployment scenario for its devices.
Source: Schneider Electric

Modules such as "NOE 771" are used as network interfaces for Programmable Logic Controllers (PLCs); Schneider Electric uses them in its SIL3 Modicon Quantum PLC for "emergency shut down" and "fire and gas detection" systems. Santamarta notified the ICS-CERT some time ago, and the vendor appears to have developed a firmware update in which the telnet and debug services are no longer enabled by default. However, the company is currently still testing the update for compatibility.

A NOE 771
This situation is dangerous because such systems are often insufficiently protected against intrusions; at worst, they are even accessible via the internet. Only a few days ago, the ICS-CERT renewed its warning that control systems can easily be identified via such tools as the Shodan search engine. The H's associates at heise Security managed to track down several vulnerable systems almost straight away. Administrators of systems that include one of the affected modules should, therefore, test immediately whether the module is accessible via the internet.

Those who are interested in knowing how hackers track down security holes in SCADA and other control systems can find an informative description in Santamarta's report, "Reversing industrial firmware for fun and backdoors". For example, Santamarta describes in detail how he analysed the firmware and identified the services that are enabled by default, complete with their access data.